Lab 02 - Network Configuration

In this lab, you will be configuring network connections, routing, and the firewall. You should have added two interfaces to your VM in the previous labs. The first interface is connected to a NAT/NAT Network and provides your Linux VM with access to the internet. The second interface is connected to a host-only network. Both interfaces are currently using DHCP to obtain IP addresses.

Leave the first interface connected to the NAT/NAT Network to continue using DHCP, so that we do not lose the ability to access the internet. Since we will be using the second interface to provide services to our local network, such as web, email, and other services that we will be configuring later on in this course, we will be configuring a static IP and applying other configurations to this interface.

Please note that most of the commands in this lab require root. Use the user account with your first name for all these labs, unless otherwise noted.

Install Software

Install the ethtool, cockpit, nmap, ufw, and traceroute packages. You may find some of these are preinstalled on your system.

sudo apt update
sudo apt upgrade
sudo apt install ethtool cockpit nmap ufw traceroute

Set Up Static Address for Your Second Interface

Use ip addr show to find your current IP address and the logical names of your interfaces. You will want to continue to use the same network number and mask to avoid having to reconfigure the virtual network it is attached to. Change the host part to be host number 99. So if you had an address of 192.168.xxx.4/24, your new address will be 192.168.xxx.99/24. Create a new netplan config file named /etc/netplan/80-comp1071.yaml and put a static address configuration in it for your second interface.

NOTICE: YAML uses leading spaces on each line to indicate hierarchy. The indentation must consist of space characters, NOT tabs, so do NOT use the Tab key.

In file /etc/netplan/80-comp1071.yaml:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens34:         # Make sure to use the correct interface name from your system
      addresses:
        - 192.168.xxx.99/24   # Make sure to use the correct IP address from your system

In the config file that the Ubuntu installer put into /etc/netplan, disable the lines for the second interface by putting # at the start of each of those lines, so that the interface is no longer also configured by DHCP. The installer-created YAML file should then look like this:

network:
    ethernets:
        ens33: # Make sure to use the correct interface name from your system
            addresses: []
            dhcp4: true
#        ens34:     # Comment out or remove the lines related to your second interface
#            addresses: []
#            dhcp4: true
#            optional: true
    version: 2

Execute netplan to test and apply the new configuration.
NOTICE: If you are connected to your system via SSH, you will need to reconnect to the new IP address when you apply the settings. Keep a second terminal open and ready to connect to the new IP so you can test. Once you have verified that the new IP address works, use netplan apply to make the change permanent.

# This will allow you to test your settings for 120 seconds to ensure they are correct and there are no errors and issues
sudo netplan try

# If you receive errors, you can correct issues with your YAML files
# If you need to debug your YAML files or cannot find where the error in your file is, use:
# sudo netplan --debug generate
# 
# The following will apply the settings from the YAML files to your network interfaces, making the configurations permanent
sudo netplan apply

# Verify your IP addresses are correctly applied to interfaces
ip address show

# Use ping to verify connectivity to localhost via the IP, and your host OS 
# Note: Windows 11 firewall will block ICMP by default, so ping from your Linux VM may not work
# Use the CLI in your Host OS to ping your Linux VM instead to verify connectivity
ping -c 1 192.168.xxx.99
ping -c 1 192.168.xxx.1   # Ping the host OS (it can be host address 1 or 2, depending on your Virtualization software)
ping -c 1 192.168.xxx.2

Add VLANs

In this step, you are creating three VLAN interfaces linked to your host-only interface. Add the following vlans: section to your /etc/netplan/80-comp1071.yaml file, at the same indentation level as the existing ethernets: section (two spaces):

  vlans:
    en-vl10:
      id: 10
      link: ens34 # Make sure to use the correct interface name from your system
      addresses:
        - 172.16.3.2/24
    en-vl20:
      id: 20
      link: ens34
      addresses:
        - 172.16.4.2/24
    en-vl30:
      id: 30
      link: ens34
      addresses:
        - 172.16.5.2/24

Run sudo netplan apply to apply the new configuration. Run ip addr show and verify that the three VLAN sub-interfaces of your second interface are listed, each with its address. Verify that you can successfully ping your new addresses.

ping -c 1 172.16.3.2
ping -c 1 172.16.4.2
ping -c 1 172.16.5.2

Use ip link show and ip addr show to view your configured interfaces. Note the IP and MAC addresses. Use sudo lshw -C network and sudo ethtool <interfacename> to review the types of information available from these commands.

Configure Private Routes and Enable Routing

Use ip route show to view your route table.

Use sudo ip route add 172.16.6.0/24 via 172.16.3.1 to add a private static route to a fictitious network through a fictitious router with the address 172.16.3.1. Run ip route to show the addition to your route table. Use traceroute 172.16.6.1 to show an attempted trace to the fictitious network. Observe the unreachable host indication. Use traceroute gc.blackboard.com to view a more successful traceroute.

Set Up Persistent Static Routes in netplan

We will not be setting up additional virtual machines, but we can simulate having a larger network. Add two persistent routes to fictitious networks through two of your VLAN interfaces. Modify your /etc/netplan/80-comp1071.yaml file in the sections for the vlans to add the desired routes. The result should look like the following in the file /etc/netplan/80-comp1071.yaml:

  vlans:
    en-vl10:
      id: 10
      link: ens34
      addresses:
        - 172.16.3.2/24
      routes:
        - to: 172.16.6.0/24
          via: 172.16.3.1
    en-vl20:
      id: 20
      link: ens34
      addresses:
        - 172.16.4.2/24
      routes:
        - to: 172.16.7.0/24
          via: 172.16.4.1
    en-vl30:
      id: 30
      link: ens34
      addresses:
        - 172.16.5.2/24

Use sudo netplan apply to apply your changes. Run ip route to verify that your new routes have been added to the kernel's routing table.
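The static address, VLAN and route steps above all build one file. The following script is an added example (not part of the lab handout) that derives the host-99 address from the current DHCP address and prints the complete /etc/netplan/80-comp1071.yaml with consistent indentation; the interface name ens34 and the sample address 192.168.56.4/24 are assumed values you replace with your own.

```shell
#!/bin/sh
# Added example, not part of the lab handout: derive the host-99 address from the
# interface's current DHCP address and print the finished 80-comp1071.yaml with
# the static address, the three VLAN sub-interfaces and the two persistent routes.
# The interface name and the 192.168.56.4/24 sample address are assumed values.
# host99 192.168.56.4/24 -> 192.168.56.99/24: keep the /24 network, set host part to 99
host99() {
    net=${1%.*}      # "192.168.56"
    mask=${1#*/}     # "24"
    [ "$mask" = "24" ] || { echo "host99: only /24 networks are handled" >&2; return 1; }
    printf '%s.99/%s\n' "$net" "$mask"
}

# netplan_yaml IFACE STATIC_CIDR: print the whole file with consistent two-space
# indentation; vlans: is a sibling of ethernets:, not nested under it.
netplan_yaml() {
    iface=$1; addr=$2
    cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    ${iface}:
      addresses:
        - ${addr}
  vlans:
    en-vl10:
      id: 10
      link: ${iface}
      addresses:
        - 172.16.3.2/24
      routes:
        - to: 172.16.6.0/24
          via: 172.16.3.1
    en-vl20:
      id: 20
      link: ${iface}
      addresses:
        - 172.16.4.2/24
      routes:
        - to: 172.16.7.0/24
          via: 172.16.4.1
    en-vl30:
      id: 30
      link: ${iface}
      addresses:
        - 172.16.5.2/24
EOF
}
```

Find the current address with ip -4 -o addr show dev ens34 | awk '{print $4}', then write the file with netplan_yaml ens34 "$(host99 192.168.56.4/24)" | sudo tee /etc/netplan/80-comp1071.yaml, restrict it with sudo chmod 600 /etc/netplan/80-comp1071.yaml (newer netplan warns when the file is world-readable), and test with sudo netplan try.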

Examine Network Connections

View Active Connections Using ss

Use sudo ss -tp to view your active TCP connections. Also, try sudo ss -tap and sudo ss -tapn to observe the entire list of TCP connections. Start a second terminal window and use it to connect to your server. View the change to the list produced by sudo ss -tp.

Probe a Remote Host Using nmap

Use nmap -h to review the types of network scans you can do. Try nmap neighbourIP where neighbourIP is the IP address of your host computer.

Configure Your Host OS to Reach the VLANs

On your host laptop OS, add the hostname (e.g. pcNNNNNNNNN) and primary IP (e.g. 192.168.xxx.99) of your second Linux interface to your host laptop's hosts file. On a Windows host, open a text editor as Administrator and edit c:\windows\system32\drivers\etc\hosts. On Linux, Unix, or macOS hosts the file is /etc/hosts.

Add private routes on your host OS to the networks 172.16.3.0/24, 172.16.4.0/24, and 172.16.5.0/24 via your Linux server. You are effectively using the Linux server as the gateway to reach them.

NOTICE: These route settings in your host OS are temporary and will not persist after a reboot! You may want to put the commands that add the route for each VLAN into a .bat (Windows) or .sh (*nix) script file, so you can quickly run them the next time you need them.

Since we want our Linux server to forward packets between interfaces (act as a router), we need to enable that on the Linux machine. On your Linux machine, the following commands will enable IP forwarding and make the change persistent:

# Enable this configuration on the currently running kernel in memory
sudo sysctl -w net.ipv4.ip_forward=1

# Add it to the configuration file, so the same setting will be applied on each bootup
sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
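The sed command above only rewrites a net.ipv4.ip_forward line that already exists in /etc/sysctl.conf (on Ubuntu it is present but commented out); if the line is absent the file is silently left unchanged and forwarding is lost at the next boot. The function below is an added example, not part of the lab handout, that handles a commented-out line, an existing line with another value, and a missing key, and only reports success when exactly one active line sets the key; the file path is a parameter so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not part of the lab handout: set a sysctl key persistently in a file.
# The lab's sed only rewrites a line that already exists; this version also handles
# a commented-out line ("#net.ipv4.ip_forward=1", the Ubuntu default) and a key that
# is entirely absent, so the result is the same whichever state the file starts in.
# Usage: persist_sysctl FILE KEY VALUE   (e.g. persist_sysctl /etc/sysctl.conf net.ipv4.ip_forward 1)
persist_sysctl() {
    file=$1; key=$2; value=$3
    # escape the dots so the key is matched literally, not as a regex wildcard
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${pat}[[:space:]]*=" "$file"; then
        # existing (possibly commented) line: replace it in place, GNU sed syntax
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${pat}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        # key not present at all: append it
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
    # succeed only if exactly one active line now sets the key to the wanted value
    [ "$(grep -Ec "^${pat}=${value}\$" "$file")" -eq 1 ]
}
```

After editing the real file, sudo sysctl -p /etc/sysctl.conf loads it without a reboot, and sysctl net.ipv4.ip_forward shows the value that is actually in effect.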

Verify that the host laptop knows your Linux machine hostname and that the private routes work by running the following commands in a terminal, cmd or powershell window under your host OS:

ping pcNNNNNNNNNN
ping 172.16.3.2
ping 172.16.4.2
ping 172.16.5.2

Explore the cockpit tool

Connect to the cockpit webapp on your server using a web browser to access port 9090 on your server at the URL: http://pcNNNNNNN:9090. Log in using the account you made for yourself using your first name in the last lab. Explore the cockpit webapp.

Set Up Your Firewall Using ufw

View your firewall status.

sudo ufw status

Add a rule for SSH to be allowed through your firewall and enable the ufw ruleset. Recheck the firewall status to see what changed.

sudo ufw allow 22/tcp
# enables the firewall if not enabled
sudo ufw enable
# You should see your firewall rule applied for IPv4 and IPv6
sudo ufw status

Tip: If you make a mistake and need to modify or delete a specific ufw rule, an easy way to do it is with the numbered option. Refer to man ufw for more information. Here is an example:

ali@pc20059995:~$ sudo ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere   # <--An extra rule!!!
[ 2] 22/tcp                     ALLOW IN    Anywhere    
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6) 
ali@pc20059995:~$ sudo ufw delete 1
Deleting:
 allow 22
Proceed with operation (y|n)? y
Rule deleted
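The "extra rule" in the session above is easy to miss in a longer ruleset. The following is an added example, not part of the lab handout, that scans sudo ufw status numbered output for rules that are exact duplicates of an earlier rule or bare-port rules (22) shadowed by a protocol-specific rule for the same port and source (22/tcp); the SAMPLE text is constructed to mirror the session above with a few extra rules added.

```shell
#!/bin/sh
# Added example, not part of the lab handout: scan `sudo ufw status numbered` output for
# redundant rules so they can be removed with `sudo ufw delete N`. A rule is flagged when
# an identical To/From pair appeared earlier, or when its To is a bare port while a
# protocol-specific rule (port/tcp or port/udp) for the same port and source exists,
# which is the "extra rule" situation in the lab session.
# SAMPLE is constructed to mirror that session, plus a few more rules to exercise the logic.
SAMPLE='Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 9090/tcp                   ALLOW IN    Anywhere
[ 5] 9090/tcp                   ALLOW IN    Anywhere
[ 6] 80/tcp                     ALLOW IN    192.168.56.0/24'

# redundant_rules: reads status text on stdin, prints "<number> <reason>" per finding
redundant_rules() {
    awk '
    /^\[/ {
        n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)     # rule number from "[ N]"
        line = $0; sub(/^\[ *[0-9]+\] */, "", line)
        split(line, f, /  +/)                               # columns separated by 2+ spaces
        to = f[1]; from = f[3]; key = to "|" from
        if (key in seen) { print n, "duplicate of rule " seen[key]; next }
        seen[key] = n
        port = to; sub("/.*", "", port)                     # "22/tcp (v6)" -> "22"
        if (index(to, "/")) proto[port "|" from] = n; else bare[port "|" from] = n
    }
    END {
        for (k in bare) if (k in proto)
            print bare[k], "bare port shadowed by protocol rule " proto[k]
    }' | sort -n
}
```

Run it against the live ruleset with sudo ufw status numbered | redundant_rules, and delete flagged rules from the highest number down so the remaining numbers stay valid.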

Try using your web browser to access the cockpit webapp. Verify that you can no longer reach it now that the firewall is turned on. Use the low-level iptables command to see the kernel firewall ruleset you now have in place.

sudo iptables --list

Allow access to cockpit through your firewall and recheck your firewall status to see what changed.

sudo ufw allow 9090/tcp
sudo ufw status

Verify you can access cockpit from your host OS using a web browser again. Explore the system management information you can access using the cockpit webapp.
Refer to the Ubuntu Server Guide for more information on how to use the Linux firewall and ufw in particular.

Evaluate your server